Today, information security is one of the critical concerns in computer networks and services. Various methods have been developed for protection of various resources and services; usually these methods include implementation of one or more security policies, combinations and hierarchies thereof. Typically, a security policy includes control of inbound and outbound traffic related to certain resources. Such control is enforced with the help of a security gateway, which may comprise various devices and/or combinations thereof (e.g. switches, routers, firewalls, VPN devices, load balancers, etc.).
However, configuring the security gateway, especially in complex network architecture, presents an increasing challenge to security departments worldwide. The problem has been recognized in the Prior Art and various systems have been developed to provide a solution, for example:
U.S. Pat. No. 6,182,226 (Reid et al.) entitled “System and method for controlling interactions between networks” discloses a firewall used to achieve network separation within a computing system having a plurality of network interfaces. A plurality of regions is defined within the firewall and a set of policies is configured for each of the plurality of regions. The firewall restricts communication to and from each of the plurality of network interfaces in accordance with the set of policies configured for the one of the plurality of regions to which the one of the plurality of network interfaces has been assigned.
U.S. Pat. No. 7,032,022 (Shanumgam et al.) entitled “Statistics aggregation for policy-based network” discloses a unified policy management system for an organization including a central policy server and remotely situated policy enforcers. A central database and policy enforcer databases storing policy settings are configured as LDAP databases adhering to a hierarchical object oriented structure. Changes in the policy settings made at the central policy server are automatically transferred to the policy enforcers for updating their respective databases. Each policy enforcer collects and transmits health and status information in a predefined log format and transmits it to the policy server for efficient monitoring by the policy server. The system also provides for dynamically routed VPNs where VPN membership lists are automatically created and shared with the member policy enforcers. Updates to such membership lists are also automatically transferred to remote VPN clients. The system further provides for fine grain access control of the traffic in the VPN by allowing definition of firewall rules within the VPN.
U.S. Pat. No. 7,225,255 (Favier et al.) entitled “Method and system for to controlling access to network resources using resource groups” encloses a method and device for configuring a firewall in a computer system employing a rule for controlling access between a source resource and a destination resource only if said source and destination resources belong to the same protection domain. At a central configuration machine, an access control rule is specified, including a scope, for each resource group, the scope, and thus the access control rule is capable of being interpreted by each of the plurality of firewalls differently depending on the value of the scope and network resource characteristics associated with each of the plurality of firewalls.
US Patent Application No. 2006/259,955 (Gunther et al.) entitled “Attribute-based allocation of resources to security domains” discloses a method for the optimized assignment of access rights to IT resources managed by means of a security management system and to a correspondingly adapted security management system. According to the invention a security domain is defined on the basis of at least one attribute of IT resources and a plurality of authorization profiles is provided for the security domain. User groups are assigned to the domain and linked to profiles provided for the domain. IT resources for which the security management is responsible are allocated to the domain in accordance with the attribute defining the security domain, as a result of which user groups assigned to the domain receive access rights to the IT resources allocated to the domain in accordance with the profiles linked to them. The invention permits the user groups to be issued with authorizations that are tailored to the requirements of the individual groups.
US Patent Application No. 2006/248,580 (Fulp et al.) entitled “Methods, systems, and computer program products for network firewall policy optimization” discloses a method and system for firewall policy optimization. According to one method, a firewall policy including an ordered list of firewall rules is defined. For each rule, a probability indicating a likelihood of receiving a packet matching the rule is determined. The rules are sorted in order of non-increasing probability in a manner that preserves the firewall policy.
US Patent Application No. 2006/031,472 (Rajavelu et al.) entitled “Network data analysis and characterization model for implementation of secure enclaves within large corporate networks” discloses a database storing information about known hosts, the applications or services they host, and the ports (known as confirmed ports) used by the applications/services. A static traffic analyzer analyzes traffic data and identifies packets communicating with (either sent to or received from) confirmed ports on hosts. A dynamic traffic analyzer analyzes the traffic data and identifies packets communicating with unconfirmed ports on hosts. A host identifier uses the resulting static and dynamic traffic to identify hosts for which firewall rules should be generated.